Cloud Security Faq
Cloud Security
Frequently Asked Questions
WHITE PAPER
Introduction
ServiceNow’s security team has compiled a list of frequently asked questions about
our cloud security processes and the physical, administrative, and logical controls
we have in place.
Please see Securing the Now Platform for more information on ServiceNow’s security
program.
Please note, all information in this document is related to the standard Now
Platform commercial environment. For information related to ServiceNow’s in-
country cloud offerings around the globe and how they may differ, please contact
your ServiceNow account representative.
Table of Contents
Data access
Who has access to customer data?
Which authentication methods are available to customers?
What password policies can customers use?
How do ServiceNow employees access the cloud infrastructure?
Data residency
Where is customer data hosted?
Where are the data centers located?
Can customers have their data stored in a single data center?
Can customers use one of ServiceNow’s data centers and pair it with one of their own?
Is customer data transferred around the world?
Data backups
How is data backed up, and how often?
How long is backed up data kept?
Are backups encrypted?
Does ServiceNow take tape backups offsite?
Can customers restore data if they need to?
Encryption
What options are available for customers to encrypt their data?
How is data encrypted in transit?
Logging
Can customers see ServiceNow’s firewall and infrastructure logs?
How long are the logs available?
Testing
Can customers perform load testing?
Can customers perform a penetration test on their ServiceNow instance?
What should customers do if they discover a vulnerability?
Can customers audit ServiceNow?
Software updates
Do software updates and patches happen automatically?
Why do instances need to be patched?
When do customers need to upgrade their instances?
Can customers roll back an update?
Customer support
Can customers have in-country only support?
Can customers have dedicated or named support people only?
Mobile applications
What do customers need to know about mobile app security?
How can customers control what mobile users can access?
How is mobile app data secured?
Administrative procedures
How does ServiceNow onboard/offboard its personnel?
Can customers perform background checks on ServiceNow personnel?
Does ServiceNow use subcontractors?
Does ServiceNow perform vendor risk assessments (VRAs)?
Miscellaneous questions
How do Customers find their instance IP address?
Can ServiceNow help me understand what types of data I have, and whether it falls under privacy laws, e.g. GDPR, PCI-DSS, HIPAA?
Can customers install their own hardware/software in ServiceNow’s cloud?
Does ServiceNow have a disaster recovery plan?
What happens to a customer’s data if they stop being a Customer?
How do customers access their database dump?
What is ServiceNow’s data destruction process?
How can customers communicate with ServiceNow?
Resources
Data access
Who has access to customer data?
Customer data can be accessed via both the application and the infrastructure.
Customers can control access to their data at the application layer via Access Control
Lists (ACLs). Default ACLs are available out-of-the-box and can be customized to suit.
ServiceNow does not require access to customer data via the infrastructure layer
during normal service provision. However, if issues arise which cannot be resolved by
the platform’s automation capabilities, a ServiceNow cloud administrator may need to
access servers or database systems for investigation and resolution. All activity of this
type is logged.
ServiceNow operates data centers in North and South America, Europe, United
Kingdom, South East Asia, Japan, and Australia.
ServiceNow support representatives may need access to a customer’s instance to
resolve customer-raised issues. Any such application layer access is recorded in the
system logs and identified with a username ending in ‘@snc’.
Customers may prevent application layer access by ServiceNow by enabling the
ServiceNow Access Control (SNAC) plugin. SNAC requires explicit approval to be given
by the customer before instance access is allowed. Enabling SNAC will delay progress
on support activities requiring instance access until the customer grants access.
Multiple preventative and detective controls have been implemented to prevent
unauthorized access to infrastructure. These are documented in the SOC 2 Type 2
report which is available to customers in the CORE compliance portal. Find out how to
access the CORE Compliance Portal here.
Data residency
Where is customer data hosted?
Customer data is hosted in data center (DC) pairs within the region selected by the customer. Regional DC pairs are pre-defined by
ServiceNow. There is no defined primary and secondary site within a DC pair, but an individual instance will be served from one of
the DCs at any given time until transferred to the other. Data center transfers are transparent to the end-user.
Can customers use one of ServiceNow’s data centers and pair it with one of their own?
ServiceNow provides leading compliance, security, and availability built on a highly standardized platform. Achieving industry-
leading availability and security would not be feasible, nor technically achievable, using resources outside of ServiceNow’s own
environment.
As such, we do not allow customers to use their own data centers, but customers may choose to export their data into their own
environment on a regular schedule.
Data backups
How is data backed up, and how often?
For production instances, data is backed up to disk within that instance’s data center pair. Sub-production instances exist in and
are backed up to a single data center only. Full backups are taken weekly, with differential backups made daily in between.
See the Backup and Restoration SOP in CORE for more information. Find out how to access the CORE Compliance Portal here.
Encryption
What options are available for customers to encrypt their data at rest?
The Now Platform allows several options for encrypting data at rest. Customers may choose a combination of:
• Column Level Encryption (CLE) and CLE Enterprise (CLEE) provide role-based symmetric data encryption for supported data
fields.
• Database Encryption protects data in ServiceNow storage in case of physical disk/server loss or theft. Database Encryption
encrypts data within the database table; data is only decrypted while it’s being accessed.
• Cloud Encryption protects data in ServiceNow storage in case of physical disk/server loss or theft. Cloud Encryption encrypts
the database’s storage volume at rest and ensures compatibility with future database technology enhancements.
• Edge Encryption encrypts or tokenizes data onsite before it is sent to a ServiceNow instance.
• Full Disk Encryption protects data in ServiceNow storage in case of physical disk/server loss or theft. It uniquely requires
customers to also purchase a dedicated environment for hardware encryption.
CLE, CLEE, and Cloud Encryption all use the NIST 800-57 compliant Key Management Framework (KMF), which provides
comprehensive key lifecycle management.
More information is available in the ServiceNow Data Encryption eBook.
Logging
Can customers see ServiceNow’s firewall and infrastructure logs?
Customers are free to access their own instance’s audit and monitoring logs, but not those of the wider ServiceNow infrastructure,
because this could include other customers’ activity. ServiceNow can, however, share redacted logs in the case of a security
incident.
Testing
Can customers perform load testing?
Customers may perform load testing only by pre-arrangement, and on an isolated environment provisioned specifically for this
purpose. This ensures testing can be carried out correctly and without impacting other customers. Please contact your ServiceNow
account representative if you would like to request a load test.
Customer support
Can standard commercial customers have in-country only support?
For information about a specific ServiceNow in-country cloud offering, please discuss
specific support options with your account representative.
US-only support is available for a fee for any entity that requires their support to be
exclusively provided by ServiceNow US Person/US Soil personnel. In all other regions,
ServiceNow provides the option of 24/7 Customer support - with 12/5 as the standard
offering - using a ‘follow-the-sun’ model. This entails provision from different global
locations throughout the day. These locations are: San Diego, Kirkland, London,
Amsterdam, Orlando, Sydney, Hyderabad, Dublin, and Tokyo.
A customer may also optionally subscribe to the Support Account Manager service
for a dedicated point of contact for support and other relevant matters. Contact your
ServiceNow account representative for further information.
Mobile applications
What do customers need to know about mobile app security?
ServiceNow has developed new native mobile apps for iOS and Android. These apps
use OAuth 2.0 and benefit from the robust authentication mechanisms (optionally
augmented with multi-factor authentication) that customers already use with
ServiceNow, including SAML, LDAP, Adaptive authentication, and local authentication,
along with AppAuth.
Security information on these new mobile applications along with configuration best
practices can be found in our Mobile security overview.
Administrative procedures
How does ServiceNow onboard/offboard its personnel?
Onboarding: ServiceNow human resources security starts at the very beginning of
the employment process with ServiceNow. Mandatory screening includes criminal,
employment, financial, citizen checks, and government watch lists, as well as drug
tests in applicable jurisdictions. Failure to pass these tests will result in disqualification
or a follow-up investigation, depending on the nature of the non-compliance.
Once employed, every new member of staff must sign a non-disclosure agreement,
sign the ServiceNow Code of Conduct and Ethics Agreement, read and accept
the ServiceNow Acceptable Use Policy, and undergo annual security training and
compliance training.
Offboarding: ServiceNow has a standard operating procedure that involves both HR
and IT. When an employee is departing, HR informs IT of their last day of service and
based on their role, IT removes their access. The stated time to do this is within 24
hours of the employee leaving; however, in practice it generally happens much sooner
than this.
Miscellaneous questions
How do customers find their instance IP address?
Customer instances use IP addresses from an 8-address (/29) subnet. Find out more about identifying the IP of your instance here.
Can ServiceNow help me understand what types of data I have, and whether it falls under privacy laws, e.g. GDPR, PCI-DSS,
HIPAA?
The Data Classification feature allows customers to understand where specific data is present within their Now Platform instances,
and to report on or create dashboards to better understand data categories in use. This assists in meeting statutory or regulatory
requirements such as GDPR, PCI-DSS or HIPAA.
Can customers install their own hardware or software in the ServiceNow cloud?
As is the case with most cloud providers, it is not possible for customers to install their own hardware or software in the ServiceNow
cloud. Instances of the Now Platform are delivered using a completely standardized cloud infrastructure. The entire environment is
under the complete control and management of ServiceNow on behalf of its customers. Now Platform instances are very flexible
and can be configured and customized as required, including the use of customer-
generated code.
Resources
There is a wealth of information available online in the following publicly accessible locations:
• Product Documentation
• Community Support
• ServiceNow Trust Site
Existing Customers can also access the following resources:
• CORE
• Trust and Compliance Center
• General Technical Support
• ServiceNow Security Best Practice Guide
© 2023 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the
United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.